threat_modelling
Differences
threat_modelling [2019/08/06 17:37] – neil | threat_modelling [2019/08/09 11:29] – neil | ||
Line 10: | Line 10: | ||
You’ll sometimes see this described as “threat modelling” or understanding your "risk scenario" | You’ll sometimes see this described as “threat modelling” or understanding your "risk scenario" | ||
- | ====Why do you care?==== | + | ====Key points ====Â |
+ | * [[threat_modelling# | ||
+ | * [[threat_modelling# | ||
+ | * [[threat_modelling# | ||
+ | * [[threat_modelling# | ||
+ | * [[threat_modelling# | ||
+ | * [[threat_modelling# | ||
+ | * [[threat_modelling# | ||
+ | Â | ||
+ | ====What are trying to protect?==== | ||
The reason you do this is that, without knowing the threats against which you’re trying to protect, you don’t know what mitigations you need to have in place. And, since you probably can’t do everything at once, you’ll need to understand what are the greatest threats you face, and so which are deserving of the greatest attention, and what measures are “nice to haves”, which could be done at some point in the future. | The reason you do this is that, without knowing the threats against which you’re trying to protect, you don’t know what mitigations you need to have in place. And, since you probably can’t do everything at once, you’ll need to understand what are the greatest threats you face, and so which are deserving of the greatest attention, and what measures are “nice to haves”, which could be done at some point in the future. | ||
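Review bot: the new heading "====What are trying to protect?====" is missing a word and should read "====What are you trying to protect?====". The paragraph placed directly under it ("The reason you do this is that, without knowing the threats ...") explains why threat modelling is worth doing, which is what the dropped "Why do you care?" heading described, not what is being protected; either keep a short "Why do you care?" heading above that paragraph or move the paragraph so that the "what are you trying to protect" heading introduces text about assets. Separately, the closing ==== of "====Key points ====" is followed by a stray non-breaking space (rendered here as "Â"); DokuWiki only treats a line as a heading when nothing but ordinary whitespace follows the closing markers, so that character is likely to stop the heading rendering and should be deleted, as should the lone non-breaking-space line before the next heading.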
Line 28: | Line 37: | ||
Or are you just generally concerned about holding up the confidentiality of your clients’ matters, and ensuring that clients can communicate with you in a reasonably secure manner, to take advantage of their right to seek independent, | Or are you just generally concerned about holding up the confidentiality of your clients’ matters, and ensuring that clients can communicate with you in a reasonably secure manner, to take advantage of their right to seek independent, | ||
+ | |||
+ | ====Create an information asset register ==== | ||
+ | |||
+ | In a spreadsheet, | ||
+ | |||
+ | Against each device and service: | ||
+ | * identify what data might be stored on it | ||
+ | * state who is permitted to access it | ||
+ | * describe the risks that it might face (for example, that you might lose your computer, leading to someone else getting access to the data on it, and you being unable to work on client files because the only copy is on the computer) | ||
+ | * describe the security measures currently in place to protect against those risks | ||
+ | * if relevant, state who is responsible for keeping it updated and ensuring it is wiped or destroyed properly at the end of its life | ||
+ | |||
+ | Keep this up to date, amending it as you add and remove devices from your firm. | ||
+ | |||
====Who is your threat?==== | ====Who is your threat?==== | ||
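Review bot: the asset register bullets in this hunk never ask for the sensitivity of the data held on each device or service, yet the later "Prioritise" section asks the reader to rank risks by impact; a bullet such as "* classify how sensitive the data is (client confidential, internal, public)" would give that ranking an input. The risk example in the third bullet ("the only copy is on the computer") also implies recording where other copies or backups of the data live, which is absent from the list. The "who is responsible" bullet is qualified with "if relevant", but the closing line "Keep this up to date" only works if every entry has an owner, so consider making that bullet unconditional.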
Line 39: | Line 62: | ||
Once you’ve identified why you might be of interest, and who you might be defending against, the next step is to identify how you might be vulnerable. | Once you’ve identified why you might be of interest, and who you might be defending against, the next step is to identify how you might be vulnerable. | ||
- | Other pages discuss different areas in which a lawyer or a law firm might be open to attack, and give some examples of mitigations and defences. | + | You might find the European Union Agency for Cybersecurity' |
- | When you’ve got a list of risks and potential mitigations, | + | ====Prioritise |
- | Â | + | |
- | ====Prioritising | + | |
Chances are, you'll have quite a few risks on your list, so you'll want to prioritise your approach to tackling them. | Chances are, you'll have quite a few risks on your list, so you'll want to prioritise your approach to tackling them. | ||
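Review bot: removing the line "When you've got a list of risks and potential mitigations," breaks the flow into the renamed "Prioritise" section, whose first sentence ("Chances are, you'll have quite a few risks on your list") now refers to a list this section no longer tells the reader to compile; keep a bridging sentence, or fold it into the new ENISA line. Dropping "Other pages discuss different areas in which a lawyer or a law firm might be open to attack, and give some examples of mitigations and defences." also removes the only pointer to this wiki's own mitigation pages; the ENISA reference can sit alongside that pointer rather than replace it.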
Line 52: | Line 73: | ||
- | ====Writing | + | ====Write it down==== |
You might find it useful to [[documenting_policies_and_processes|write this down]], so that you have a register of threats and risks, with reasons why you have included, or excluded certain things. | You might find it useful to [[documenting_policies_and_processes|write this down]], so that you have a register of threats and risks, with reasons why you have included, or excluded certain things. | ||
- | ====Repeating | + | ====Make this a regular thing====Â |
- | You probably want to make this appraisal a regular exercise — perhaps yearly, or even more frequently. | + | You probably want to make this appraisal a regular exercise — perhaps yearly, or even more frequently, depending on the likelihood of a risk arising, and the severity of the impact if it did. |
If you think you fall into a higher risk category, it is probably something you’ll want to do even more often than that. | If you think you fall into a higher risk category, it is probably something you’ll want to do even more often than that. | ||
+ | |||
+ | If you have a compliance calendar, to help you meet your numerous regulatory obligations, |
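Review bot: "====Make this a regular thing====" carries the same trailing non-breaking space (shown as "Â") after the closing markers as the "Key points" heading, which is likely to stop it rendering as a heading; remove it. In the amended sentence, the added clause "depending on the likelihood of a risk arising, and the severity of the impact if it did" qualifies "more frequently", but the unchanged sentence that follows already says higher-risk firms should repeat the exercise more often, so the two sentences now make the same point; consider merging them into one.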
threat_modelling.txt · Last modified: 2021/10/15 10:25 by neil